Slashdot Mirror


Second Root Cert-Private Key Pair Found On Dell Computer (threatpost.com)

msm1267 writes: A second root certificate and private key, similar to eDellRoot [mentioned here yesterday], along with an expired Atheros Authenticode cert and private key used to sign Bluetooth drivers has been found on a Dell Inspiron laptop. The impact of these two certs is limited compared to the original eDellRoot cert. The related eDellRoot cert is also self-signed but has a different fingerprint than the first one. It has been found only on two dozen machines according to the results of a scan conducted by researchers at Duo Security. Dell, meanwhile, late on Monday said that it was going to remove the eDellRoot certificate from all Dell systems moving forward, and for existing affected customers, it has provided permanent removal instructions (.DOCX download), and starting today will push a software update that checks for the eDellRoot cert and removes it. The second certificate / key pair was found by researchers at Duo Security.

3 of 65 comments

  1. Unavoidable by edtice1559 · · Score: 3, Interesting

    I feel bad for those who switched from Lenovo to Dell after the SuperFish fiasco.

  2. Wait, they shipped the private key? by mi · · Score: 4, Interesting

    private key used to sign Bluetooth drivers has been found on a Dell Inspiron laptop

    So, the happy owners of the affected laptops can now issue certificates and/or sign drivers, which will be accepted as genuine by other owners of Dell hardware?

    Seriously? If so, that's just too dumb to be malicious...

    --
    In Soviet Washington the swamp drains you.
  3. A Word document? by jlv · · Score: 3, Interesting

    Why were the removal instructions provided as a Word document? They couldn't just have a simple web page with pictures?